What are the differences between security mode="Transport" and security mode="TransportCredentialOnly"

Question

What are the differences between security mode="Transport" and security mode="TransportCredentialOnly" when I use it with BasicHttpBinding and setup ssl in ISS 7.0?

score 43 · Accepted Answer · edited Jun 25 '17 at 07:14

43

Check here: http://developers.de/blogs/damir_dobric/archive/2006/07/31/890.aspx and http://msdn.microsoft.com/en-us/library/ff648505.aspx

Transport seems to require HTTPS to encrypt credentials and throws an exception if there is no SSL. TransportCredentialOnly will send the credentials in plain text and unencrypted and is recommended for testing ONLY!

Good Luck!!

edited Jun 25 '17 at 07:14

gius

9,289
3
33
62

answered Dec 19 '10 at 01:32

ItsPronounced

5,475
13
47
86

I still get an error `SOAP Header Missing` when using `TransportCredentialOnly`. I've specified the `ClientCredentials` and the request needs to be sent over http but not luck. Any ideas? – Gareth Feb 13 '19 at 23:24

score 9 · Answer 2 · answered Dec 19 '10 at 01:49

With TransportCredentialOnly security mode, the underlying secure transport layer (usually TLS/SSL) provides the integrity and confidentiality protection for the communication, while SOAP messaging layer handles transporting the client credentials in the SOAP message.

In other words, TransportCredentialOnly security mode passes the user credentials in the SOAP message without encrypting or signing the SOAP message, and the underlying transport connection (typically TLS/SSL) needs to ensure that the message contents cannot be seen or altered by a third-party.

What are the differences between security mode="Transport" and security mode="TransportCredentialOnly"

2 Answers2

Linked